Hackers compromise Microsoft Exchange servers to deploy malicious OAuth apps

Microsoft has described a campaign in which a threat actor gained access to customers' cloud tenants and abused the Exchange Online email service within them.

“The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access. The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server,” the Microsoft 365 Defender Research Team reported.

Throughout the attack, the attackers used a network of single-tenant applications as an identity platform. In addition, the attackers sent large amounts of spam e-mail over short periods of time via other means, “such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email sending infrastructure.”

With the connector in place, the attacker used it together with transport rules designed to evade detection to deliver spam emails, and then deleted the malicious inbound connector and all transport rules between spam campaigns, a move that serves as an additional defense evasion measure.

The OAuth application was dormant for months between the attacks until the attacker used it again. For the new wave of attacks, the attacker added new connectors and rules.
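The create-then-delete pattern described above means that an inventory of the tenant's current inbound connectors and transport rules will often look clean; the evidence lives in the admin audit trail. The following is an added example (not code from the original article or from Microsoft) that hunts that trail for connectors and rules that were created and removed within a short window, and for actors whose short-lived objects recur in separate waves months apart. The records are constructed for the example and only loosely modelled on Exchange Online admin audit entries; the field names (CreationTime, Operation, UserId, Parameters) and the assumption that Operation carries the cmdlet name are assumptions, and the lifetime and gap thresholds are illustrative.

```python
"""Hunt Exchange Online admin audit records for short-lived inbound connectors
and transport rules, and for actors that reuse the pattern in separate waves.
Added example; the records below are constructed, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Assumption: each record carries the cmdlet name in
# Operation and the cmdlet arguments as a list of Name/Value pairs in Parameters.
SAMPLE_RECORDS = [
    # First wave: connector plus rule created, both removed about a day later
    {"CreationTime": "2022-05-02T01:10:00", "Operation": "New-InboundConnector",
     "UserId": "app-sp-01", "Parameters": [{"Name": "Name", "Value": "Ingress-1"}]},
    {"CreationTime": "2022-05-02T01:11:00", "Operation": "New-TransportRule",
     "UserId": "app-sp-01", "Parameters": [{"Name": "Name", "Value": "Rule-1"}]},
    {"CreationTime": "2022-05-03T04:00:00", "Operation": "Remove-InboundConnector",
     "UserId": "app-sp-01", "Parameters": [{"Name": "Identity", "Value": "Ingress-1"}]},
    {"CreationTime": "2022-05-03T04:01:00", "Operation": "Remove-TransportRule",
     "UserId": "app-sp-01", "Parameters": [{"Name": "Identity", "Value": "Rule-1"}]},
    # Legitimate, long-lived partner connector created by a human admin
    {"CreationTime": "2022-01-10T09:00:00", "Operation": "New-InboundConnector",
     "UserId": "admin@contoso.example", "Parameters": [{"Name": "Name", "Value": "Partner-MX"}]},
    # Second wave, months later, with a fresh connector
    {"CreationTime": "2022-08-15T02:00:00", "Operation": "New-InboundConnector",
     "UserId": "app-sp-01", "Parameters": [{"Name": "Name", "Value": "Ingress-2"}]},
    {"CreationTime": "2022-08-16T05:00:00", "Operation": "Remove-InboundConnector",
     "UserId": "app-sp-01", "Parameters": [{"Name": "Identity", "Value": "Ingress-2"}]},
]

# Object kinds to track, mapped to their create and remove cmdlets.
OBJECT_KINDS = {
    "InboundConnector": ("New-InboundConnector", "Remove-InboundConnector"),
    "TransportRule": ("New-TransportRule", "Remove-TransportRule"),
}


def _param(record, *names):
    """Return the value of the first parameter whose Name is in names."""
    for p in record.get("Parameters", []):
        if p["Name"] in names:
            return p["Value"]
    return None


def find_short_lived_objects(records, max_lifetime=timedelta(days=7)):
    """Return (kind, name, actor, created_at, removed_at) for every connector or
    rule that was created and then removed within max_lifetime."""
    created = {}   # (kind, name) -> (actor, creation time)
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        t = datetime.fromisoformat(rec["CreationTime"])
        for kind, (new_op, remove_op) in OBJECT_KINDS.items():
            if rec["Operation"] == new_op:
                created[(kind, _param(rec, "Name"))] = (rec["UserId"], t)
            elif rec["Operation"] == remove_op:
                key = (kind, _param(rec, "Identity", "Name"))
                if key in created:
                    actor, t0 = created.pop(key)
                    if t - t0 <= max_lifetime:
                        findings.append((kind, key[1], actor, t0, t))
    return findings


def actors_with_repeated_waves(findings, min_gap=timedelta(days=30)):
    """Map actor -> number of distinct waves, counting only actors whose
    short-lived objects were created in bursts separated by at least min_gap
    (the dormant-then-reused pattern)."""
    by_actor = defaultdict(list)
    for _, _, actor, created_at, _ in findings:
        by_actor[actor].append(created_at)
    result = {}
    for actor, times in by_actor.items():
        times.sort()
        waves = 1
        for earlier, later in zip(times, times[1:]):
            if later - earlier >= min_gap:
                waves += 1
        if waves > 1:
            result[actor] = waves
    return result


if __name__ == "__main__":
    hits = find_short_lived_objects(SAMPLE_RECORDS)
    for kind, name, actor, t0, t1 in hits:
        print(f"{kind} {name!r} by {actor}: created {t0}, removed {t1}")
    print("actors with repeated waves:", actors_with_repeated_waves(hits))
```

On a real tenant the input would be the ExchangeAdmin records exported from the unified audit log (for example with the Exchange Online PowerShell cmdlet Search-UnifiedAuditLog), and the actor column is what to pivot on: the account or application that created the connector is the thread back to the OAuth app and the credential-stuffed admin account. Note that Get-InboundConnector and Get-TransportRule only show the present state, so they are not a substitute for this kind of review.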

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff